Re: [DNG] WAIT_ONLINE_METHOD=none

[Mike Tubby]

On 16/02/2019 23:07, Didier Kryn wrote:

Le 16/02/2019 à 23:42, Dr. Nikolaus Klepp a écrit :
So openssh is blocked by random, which by some unknown reason takes ~ 
30 seconds to start on 4.19 (in contrast to ~ 1 second o 4.9)


    I've read things about that in other lists. There's a new 
requirement to have a big enough amount of random numbers (they call 
this entropy, as an extension of the physical concept to computing), 
in some new random generator. openssh requires that to be able to 
start securely. The only workaround, IMHO is to find a way to not wait 
until openssh is ready to continue the start up.


        Didier


If you install 'haveged' package /dev/random and /dev/urandom should (a) 
be better quality and (b) programs that need chunks of random data such 
as SSL on start-up should come up more quickly, i.e. not block waiting.


Mike





___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] iptables forced obsolescence over upgrade

[chillfan--- via Dng]

No, I do not need nft if I only intend to use iptables. This is just additional 
complexity. They think I need it sure, since they want to immediately start the 
transition to nft.

But I can just see this breaking things for people who like me built their own 
kernel for specific needs, such as servers where a lot of people will do just 
for performance or security reasons and will not include any nft support.

Actually, if they insist on transitioning to nft then at least they should warn 
during upgrade that the 'legacy' (as it's for some reason called) iptables has 
moved path.

Cheers,

chillfan

‐‐‐ Original Message ‐‐‐
On Saturday, February 16, 2019 6:35 PM, Alessandro Selli 
 wrote:

> On 16/02/19 at 11:26, chillfan--- via Dng wrote:
> 

> > And of course I don't need nft
> 

>   Yes, you do.
> 

>   For some reason  you don't want it, but that's a different matter.
> 

> 

> 
> 

> Alessandro Selli alessandrose...@linux.com
> VOIP SIP: dhatarat...@ekiga.net
> Chiave firma e cifratura PGP/GPG signing and encoding key:
> BA651E4050DDFC31E17384BABCE7BD1A1B0DF2AE



publickey - chillfan@protonmail.com - 0xB179B25B.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] unatternded upgrades by default in Debian

[Olaf Meeuwissen]

Hi Katolaz,

Apologies for the delay.

KatolaZ writes:

> On Thu, Feb 14, 2019 at 09:14:45PM +0900, Olaf Meeuwissen wrote:
>
> [cut]
>
>> > It's in my todo-list, but I would be grateful of you would be so kind
>> > to please open a bug on bugs.devuan.org, so we are sure we don't
>> > forget it.
>>
>> Against which package?
>
> Against tasksel, please.

Done.  It's bug#294 and stuck in the moderation queue because I appended
a rather long list of the recursive task-kde-desktop dependencies :-/

>> BTW, why again are we trying so hard to not pull in unattended-upgrades?
>> I think I lost track and considering my own Devuan (server) experiences,
>> which have been good, I'm not quite sure I still understand :-/
>
> Because this is something that users should be aware of, and clearly
> notified about. We are neither Microsoft nor Apple.

Ack.

> Unattended upgrades should be used by people who know what they want
> out of it. If you know (as you do, in this case), you also know how to
> find, install, and configure it. If you don't know what this is about,
> and unattended-upgrades is installed, you start believing in ghosts :)
>
>> # It was my Debian server that needed a dbus cluebat ... ;-)
>> # And then only because I insist on self-inflicted "pain" by telling APT
>> # to not install recommended packages in the first place.
>>
>> Your average KDE/GNOME desktop user might actually appreciate their
>> security upgrades getting applied "behind their backs" or "without user
>> intervention", depending on your point of view.
>
> Let's be honest: considering security an automatic process is just a
> myth, and a quite misleading one, IMHO :)

Security is not an automatic process but being able to automate some of
its steps definitely cuts down on the amount of work you need to put in.

> There is no single size that fits all the possible uses of
> unattended-upgrades, and while some users might find it desirable,
> some others might find that the "smart" upgrade silently broke their
> setup, in a way or another. This was the case with several important
> upgrades of stuff like php or mysql/mariadb in the past (mainly due to
> local customisations, I admit, but still, a sysadmin is free to do
> what they want on the system they manage...).

The machines I administer only have the packages installed that are
really needed.  There is no "fluff".  I keep /etc in git with the help
of etckeeper (and tweaked that to log which packages are upgraded from
which version to what version).  The services these machines provide are
all Dockerized.  The only time, so far, fingers crossed, that things
went awry was when the Docker folks pulled support for sysvinit :-/

> In general, in a server environment an admin wants to make sure that
> an upgrade actually does not stop the running services from doing
> their job as planned. Especially if there are customisations and/or
> other hacks put in place to hold things together.

Yes, that's why I run my services in Docker containers and test those
upgrades on other hardware before deploying.  Each service's set up is
kept under version control too.

I did disable unattended-upgrades when I went on a holiday to make sure
the host systems didn't go belly-up while I was away.  Don't worry, we
are doing something about me being a single point of failure ;-)

> IMHO, the reasonable solution is to make sure that unattended-upgrades
> does not slip in a standard Devuan installation unnoticed, under any
> circumstance. If a user know about it and want it running, it's just
> an `apt-get install` away.

While I agree with not letting slip unattended-upgrades in unnoticed,
I'd like to warn against saying that a package is just an `apt install`
away without giving real, concrete reasons (like you did above for the
case of unattended-upgrades) why a package dependency should be demoted
from a Recommends: to a Suggest: (or removed altogether).

Hope this helps,
--
Olaf Meeuwissen, LPIC-2FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Softwarehttps://my.fsf.org/donate
 Join the Free Software Foundation  https://my.fsf.org/join
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng